Workgroup not visible to Leap 15.0 machines

I have just installed Leap 15.0 on two of our computers, the third still has 42.3. I am trying to make the Samba network function and it does, up to a point. But it’s driving me crazy.

First there is inconsistency: smbtree on any of the three machines sometimes gives only one member, sometimes two, sometimes all three. The change appears to occur even while they are idle. On the other hand, using Dolphin on the 42.3 machine, I can see the workgroup, CHUPARROSAS, and the folders on the two 15.0 machines, and sometimes the 42.3 itself and its folders.

Second, even though I see 1, 2 or 3 computers with smbtree, neither of the 15.0 machines shows the workgroup in Dolphin, much less the computers or the folders on the computers. firewalld off or firewalld on makes no difference.

There is another little quirk with regard to file sharing. The 42.3 machine can upload to one of the two 15.0 machines, “Elite”, but not to the other, “Envy”. The setups appear identical to me, except that when I set the Properties of the folder on Envy to “Share with Samba (Microsoft Windows)”, “Allow Guests” with “Full Control”, etc., it doesn’t stay that way, but it does show up in the smbtree, and I can see and download the contents on the 42.3 machine, but I can’t upload: “access denied”. I have checked and rechecked the permissions and can’t find any difference in setup between “Elite” and “Envy”

@Simpleguy:

It could be that the Firewall is blocking the Windows network broadcasts.

If you haven’t already done so, install the “yast2-firewall” package. Then take a look at the Firewall settings.

  • If the machines are connected to a local LAN which accesses the Internet via a Router with a built-in Firewall then,

» Set the LAN interfaces to the Firewall Zone “trusted”.

Leap 15 is using a newer samba version and SMBv1.0 has been deprecated (due to security vulnerabilities). Unfortunately, samba relied on NT1 to provide samba discovery (and smbtree still makes use of that actually). See my previous thread on this subject
https://forums.opensuse.org/showthread.php/534254-Dolphin-Unable-to-find-any-workgroups-in-your-local-network?p=2889380#post2889380

This may be of interest…
https://www.cyberciti.biz/faq/how-to-configure-samba-to-use-smbv2-and-disable-smbv1-on-linux-or-unix/

There is another little quirk with regard to file sharing. The 42.3 machine can upload to one of the two 15.0 machines, “Elite”, but not to the other, “Envy”. The setups appear identical to me, except that when I set the Properties of the folder on Envy to “Share with Samba (Microsoft Windows)”, “Allow Guests” with “Full Control”, etc., it doesn’t stay that way, but it does show up in the smbtree, and I can see and download the contents on the 42.3 machine, but I can’t upload: “access denied”. I have checked and rechecked the permissions and can’t find any difference in setup between “Elite” and “Envy”

That is likely related to authentication changes that were made. I’ll let others advise further here.

Hmmm …
I need to set the following in ‘/etc/samba/smb.conf’ to successfully access the existing SMB shares (DSL-Router; QNAP NAS; Windows 7 box) on this LAN from a Leap 15.0 system – KDE Plasma 5; Dolphin version 17.12.3:


        client min protocol = NT1
        client max protocol = SMB3

Yes, that is what is required for Samba network neighbourhood style discovery (via NetBIOS broadcasts), but exposes such hosts to well published security risks.
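Added example, not part of any post in this thread: a small Python check that reads the `[global]` section of an smb.conf and reports every minimum-protocol parameter explicitly set below SMB2, which is what the `client min protocol = NT1` setting above does. The two sample configurations are constructed; parameters that are not set are left unreported because their default depends on the Samba version.

```python
import re

# Samba protocol names, oldest first; everything before SMB2_02 is SMB1-era.
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
WATCHED = ["client min protocol", "client ipc min protocol",
           "server min protocol", "min protocol"]

def global_params(text):
    """Return {normalized name: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params["".join(key.lower().split())] = value.strip()
    return params

def smb1_findings(text):
    """List (parameter, value) pairs that explicitly allow a dialect below SMB2."""
    params = global_params(text)
    findings = []
    for name in WATCHED:
        value = params.get(name.replace(" ", ""))
        if value is None:
            continue  # unset: falls back to the installed Samba's default
        proto = ALIASES.get(value.upper(), value.upper())
        if proto in ORDER and ORDER.index(proto) < ORDER.index("SMB2_02"):
            findings.append((name, value))
    return findings

# Constructed samples: the setting quoted in the thread, and an SMB2 floor.
AS_POSTED = ("[global]\n  workgroup = CHUPARROSAS\n"
             "  client min protocol = NT1\n  client max protocol = SMB3\n")
SMB2_FLOOR = ("[global]\n  workgroup = CHUPARROSAS\n"
              "  Client Min Protocol = SMB2\n  server min protocol = SMB2\n")

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("SMB2 floor", SMB2_FLOOR)):
        print(label, smb1_findings(conf))
```

With the floor at SMB2 the list is empty, at the cost of the NetBIOS-style browsing discussed in this thread.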

Thanks to all who gave responses.

With the 42.3 computer off, firewalld on or off gives the same result for the 15.0 machines: smbtree shows workgroup, machines and folders to be shared; Dolphin shows nothing, not even the famous misleading red error message suggesting that the firewall may be to blame.

I have never understood why file sharing is so hard for the user to set up. I have been using OpenSUSE since version 10.1, and it is always a challenge to find and execute all the separate steps to make Samba work. This latest version is worse, in part because firewalld is such a mess, but that’s not the only new problem.

Meanwhile, I transfer small files by composing a draft email on one computer with the file as attachment and then opening the draft on the other computer and downloading it.

We have no Windows computers, so perhaps the right answer would be to use NFS. I’ve never tried it, so any thoughts on that option would be appreciated.

First, regarding various NetBIOS “well published security risks,”
I don’t know that any vulnerabilities are unpatched, leaving only possible DDOS attacks any UDP protocol could be vulnerable to… But, NetBIOS Name Resolution should never be exposed to a public network (like the Internet) anyway. So, if using updated software and configured according to Best Practices I don’t know that there is an imminent danger although I would still never recommend implementing because there is a better alternative…

NetBIOS name resolution was part of NT Domain security (and SAMBA 3).
No one should still be running either of these two old style Domain based Network Security, we should all be running either Active Directory or SAMBA 4 which nearly fully integrate with each other (and if you don’t have multiple DCs, there are no compatibility issues).
Although SAMBA 4 can support the old NetBIOS name resolution for backwards compatibility, it should instead be using DNS.
Like NetBIOS name resolution, DNS can also be subject to a DDOS so there is little difference regarding DDOS vulnerability…

To support Domain and Workgroup browsing (aka Network Neighborhood on MSWindows), you need to configure directed queries via DNS instead of depending on broadcasts which can become unreliable anyway…

The following SAMBA article describes how to configure DNS integrated with your SAMBA

https://wiki.samba.org/index.php/DNS_Administration

Your network should function better configured this way…

TSU

Yes, that’s due to the reason I outlined already regarding NetBIOS broadcasts.

We have no Windows computers, so perhaps the right answer would be to use NFS. I’ve never tried it, so any thoughts on that option would be appreciated.

Or use SFTP file sharing with Dolphin perhaps.

Yes, exactly; «If Linux or, UNIX® or, Mac, use NFS».
Please examine the NFS Auto-Mounter – the systemd “autofs.service”.

Please don’t be scared off by the following text in the openSUSE documentation:

In the default configuration, NFS completely trusts the network and thus any machine that is connected to a trusted network. Any user with administrator privileges on any computer with physical access to any network the NFS server trusts can access any files that the server makes available.

It’s almost true but, not quite:

  • NFS respects the Linux/UNIX® file mode bits (r w x) and the related file access (owner group other):

Part of the exercise of setting up an NFS server, revolves around deciding which directories are to be exported and, the ownership and mode bit settings of those directories.
When setting up a system which exports directories via NFS, consider introducing User Group directories below the /home/ directories and then moving all the user Home directories into the appropriate User Group directories – NFS export only those User Groups which need to be exposed to the network …

Will you need Kerberos and LDAP?

  • Yes, for the case of a commercial office network.
  • For a private (home) network, not really needed but, possibly “nice to have” if you are prepared to accept the administration overhead …
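Added example, not part of any post in this thread: a Python check over `/etc/exports` text that flags the choices the post above asks you to think about, namely exports open to every host and options that weaken the default squashing and port checks. The export paths, host name and subnet in the sample are constructed; quoted paths and line continuations are not handled.

```python
import re

WORLD = {"*", "0.0.0.0/0", "::/0"}
RISKY_OPTIONS = {"no_root_squash", "insecure"}

def audit_exports(text):
    """Return (path, client, issue) tuples for risky entries in exports(5) text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", token)
            if not m:
                continue
            # "(rw)" with no host in front of it applies to every client,
            # which is what a stray space in "host (rw)" produces.
            host = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            if host in WORLD:
                findings.append((path, host, "exported to every host"))
            for opt in sorted(opts & RISKY_OPTIONS):
                findings.append((path, host, "option " + opt))
    return findings

# Constructed sample: one open export, one scoped to a subnet,
# and one with the stray-space mistake.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/home/public   *(rw,no_root_squash)
/home/office   192.168.1.0/24(rw,root_squash,sync)
/home/family   envy (rw)
"""

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {client:5} {issue}")
```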

NFS sounded good, so I proceeded to try to set up a server, and got the message

“Firewall not configurable:
Some firewald services are not available:
-nfs-kernel-server (Not available)
These services must be defined in order to configure the firewall.”

I’m stumped.

In spite of all the trouble I have had with firewalld, I have resisted going back to the Yast2 firewall, but maybe I’ll have to.

Install nfs-kernel-server with

sudo zypper in nfs-kernel-server

and make sure that the service is started.

This guide may be of value to you as well
https://www.hiroom2.com/2018/06/12/opensuse-15-nfs-kernel-server-en/

Thanks for the suggestions. Here is what I did:

Shannon@Elite:/etc/samba> sudo zypper in nfs-kernel-server
[sudo] password for root:
Loading repository data…
Reading installed packages…
‘nfs-kernel-server’ is already installed.
No update candidate for ‘nfs-kernel-server-2.1.1-lp150.4.6.1.x86_64’. The highest available version is already installed.
Resolving package dependencies…

Nothing to do.
Shannon@Elite:/etc/samba> sudo systemctl enable nfsserver
[sudo] password for root:
Shannon@Elite:/etc/samba> sudo systemctl restart nfsserver
Shannon@Elite:/etc/samba> sudo firewall-cmd --add-service=nfs --permanent
Warning: ALREADY_ENABLED: nfs
success
Shannon@Elite:/etc/samba> sudo firewall-cmd --reload
success
Shannon@Elite:/etc/samba>

I then rebooted and I get the same error message as before about firewalld when trying to set up the NFS server.

I haven’t had time to dig in to this further, but just in case it’s a connection tracking config issue (apologies if I’m on the wrong track here)…
https://firewalld.org/2016/10/automatic-helper-assignment
It is disabled by default for security reasons, but may need to be enabled ie ‘AutomaticHelpers=yes’ in /etc/firewalld/firewalld.conf

This can also be enabled via the firewall-config GUI: Options > Configure Automatic Helper Assignment…

Thanks for your response. I already had automatic helpers set to “yes”.

This all seems very complicated to simply do file sharing between two computers.

This thread has moved off topic really, and ideally a new thread requesting NFS server configuration help would have been preferable. For sharing files between two machines I wouldn’t have used NFS at all. Both then need to be set up as servers and clients. From what you’ve posted so far, it looks like you didn’t configure any NFS exports yet. You could report back with

systemctl status nfs-server.service
showmount -e

BTW, I already recommended using sftp for casual file sharing (or fish:// protocol). As long as the sshd is active on each machine and the necessary firewall config made (if active), it’s as simple as using the following in the Dolphin location bar

sftp://username@server_name_or_ip address
fish://username@server_name_or_ip address

 > systemctl list-unit-files | grep -i 'nfs'
proc-fs-nfsd.mount                                               static
var-lib-nfs-rpc_pipefs.mount                                     static
nfs-blkmap.service                                               disabled
nfs-idmapd.service                                               static
nfs-mountd.service                                               static
nfs-server.service                                               enabled
nfs-utils.service                                                static
nfs.service                                                      disabled
nfsserver.service                                                enabled
nfs-client.target                                                disabled
 >

Please note the systemd “.service” and “.target” suffixes.
I use the auto-mounter service – therefore the NFS Client service is disabled …


 # systemctl status nfs.service
● nfs.service - Alias for NFS client
   Loaded: loaded (/usr/lib/systemd/system/nfs.service; disabled; vendor preset: disabled)
  Drop-In: /run/systemd/generator/nfs.service.d
           └─50-insserv.conf-$remote_fs.conf
   Active: inactive (dead)
 # 

Enough said …

You’re right! I have used Samba in the past, and don’t see why I shouldn’t be able to use it now. So here’s the original problem:

I have set up everything for Samba that I know how to set up, and when I do smbtree with firewalld on, I get (on both of my two Leap 15.0 computers):

Shannon@Elite:~> smbtree
CHUPARROSAS
\ENVY Samba 4.7.11-git.153.b36ceaf2235lp150.3.14.1-SUS
\ENVY\Officejet_7610_fax Officejet_7610_fax
\ENVY\Officejet_7610 Officejet_7610
\ENVY\IPC$ IPC Service (Samba 4.7.11-git.153.b36ceaf2235lp150.3.14.1-SUSE-oS15.0-x86_64)
\ENVY\netlogon Network Logon Service
\ENVY\Share_Envy
\ENVY\print$ Printer Drivers
\ENVY\groups All groups
\ENVY\users All users
\ENVY\profiles Network Profiles Service
\ELITE Samba 4.7.11-git.153.b36ceaf2235lp150.3.14.1-SUS
\ELITE\Officejet_7610_fax Officejet_7610_fax
\ELITE\Officejet_7610 HP Officejet 7610 Series, hpcups 3.17.9
\ELITE\IPC$ IPC Service (Samba 4.7.11-git.153.b36ceaf2235lp150.3.14.1-SUSE-oS15.0-x86_64)
\ELITE\netlogon Network Logon Service
\ELITE\Share_Elite
\ELITE\print$ Printer Drivers
\ELITE\groups All groups
\ELITE\users All users
\ELITE\profiles Network Profiles Service
Shannon@Elite:~>

With firewalld off, I get the same thing - nothing on Dolphin. Meanwhile, my old 42.3 machine sees everything!

When I try to use Dolphin (selecting “Network”, then “Samba Shares”) to see the folders “Share Envy” and “Share Elite”, I don’t even see the workgroup “Chuparrosas”. No error message, nothing.

Shannon@Elite:~> systemctl status nfs-server.service
● nfs-server.service - NFS server and services
Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/nfs-server.service.d
└─nfsserver.conf, options.conf
/run/systemd/generator/nfs-server.service.d
└─order-with-mounts.conf
Active: active (exited) since Sun 2019-05-05 07:24:54 CDT; 1h 19min ago
Main PID: 1800 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/nfs-server.service

Shannon@Elite:~> sudo showmount -e
[sudo] password for root:
Export list for Elite:
/home/Shannon/Share_Elite *

Shannon@Elite:~> systemctl list-unit-files | grep -i 'nfs'
proc-fs-nfsd.mount static
var-lib-nfs-rpc_pipefs.mount static
nfs-blkmap.service disabled
nfs-idmapd.service static
nfs-mountd.service static
nfs-server.service disabled
nfs-utils.service static
nfs.service disabled
nfsserver.service enabled
nfs-client.target disabled

How do I enable the disabled items that I need?

Yes, and both the reason for that and what is required (smb.conf) to have it working was discussed in post #3.